This is Sue Bohn, Partner Director of Program Management for Identity and Access Management. We're back with another mailbag focusing on your common questions on Azure Active Directory provisioning. A key Identity and Access Management (IAM) component, provisioning makes sure the right accounts are being created in the right resources with the right info. Or the inverse, when a user leaves or changes roles. It’s also an event that can be automated to reduce complexity and mistakes in the environment. Finally, it’s extremely useful for governance processes like compliance regulations. If you haven’t started to think about how you're doing provisioning in your environment, these questions will help you get the conversation started.
---
I’m Corissa Koopmans from the Azure Active Directory (Azure AD) Get-To-Production team. Recently, I worked with Ramiro Calderon to record a series of videos around Identity Provisioning. This isn’t a new topic, but there have been many changes in the space due to the increase of hybrid environments, cloud applications with modern protocols and guest users. In this blog, we’re going to expand on some of the common questions we hear from our customers about Identity provisioning with Azure AD.
Q1: Why is identity provisioning important?
Most organizations are in a hybrid state, having identities on-premises (on-prem) and in the cloud. Their employees are using a ton of apps from multiple devices and it’s not unusual to have more than one HR application. Identity provisioning receives data from an authoritative source and creates corresponding accounts in the cloud, in Active Directory and to the different applications, relating them to one specific user.
Provisioning tools can reduce complexity for IT Admins through automation of onboarding, offboarding and other workforce processes that are a result of a change in status.1 A user’s status can change due to taking on a new role, updating a device, changing groups or retiring, just to name a few. Being able to automate provisioning is so important because it can give new employees access to everything they need to be efficient at work on day one. Moreover, when someone leaves the company, identity provisioning tools can automatically revoke access, which is critical for governance and compliance regulations.
Q2: How does identity provisioning with Azure Active Directory help me give my employees access to cloud resources?
Many of our customers want to know how they can provision their employees from an authoritative source, wherever that may be, to cloud applications in the most efficient way possible. The diagram below is a simple illustration of that goal:
Before Azure AD, organizations would have to maintain the connections between their on-prem directory and cloud applications. With the amount of cloud apps used today, this could mean thousands of applications and thousands of connections to manage, which was not scalable. Azure AD has integrated with the most-used apps in the industry and monitors the connectors to those cloud apps so you don’t have to. Azure AD also introduced the ability to set up conditional access policies, which allows organizations to have more control over who accesses their resources and from where.
Let’s cover the most commons scenarios of how you provision users to cloud resources with Azure AD:
- Directory + App Provisioning: If the user already exists in your on-prem directory, the sync engine will send their identity data to Azure AD one of two ways (and the two can happen simultaneously):
- Azure AD Connect which syncs your identity data between your on-prem directory and Azure AD.
Figure 1.1 Azure AD Connect Sync
- Azure AD Connect cloud provisioning which provisions identity data from a disconnected environment to Azure AD.
- Azure AD Connect which syncs your identity data between your on-prem directory and Azure AD.
Once the users are in Azure AD, app provisioning automatically creates user identities in the cloud applications that they need access to.
This all comes together in the diagram below. You can also watch our videos on identity provisioning where we will walk through these flows, step by step.
- Cloud HR + App Provisioning: If you’re using a cloud HR System, such as WorkDay or SuccessFactors, you create a record in the HR system when you hire someone. From there, the user is automatically provisioned to the on-prem directory (steps 1-4) and then Azure AD Connect syncs changes to Azure AD (step 5). From there, app provisioning takes the user identities from the cloud directory to your applications (step 6). Finally, the email addresses and username attributes are written back to the cloud HR app tenant (step 7).
Q3: Which applications are currently integrated for provisioning with Azure AD?
You can see all the applications in the gallery that support provisioning by selecting Automated Provisioning under User Account Management, highlighted in the image below.
Microsoft 365 applications are all integrated with Azure AD, including Microsoft Intune, Office, Teams, Azure, etc. For Cloud HR apps, Workday and SuccessFactors are currently integrated and more will be added in the future. We also have tutorials for integrating popular outbound apps including SAP Identity Authentication Service, Oracle Fusion ERP, and GSuite.
You can also leverage the bring your own apps option to integrate any SCIM compliant application. And finally, if there is third party SaaS app you cannot find in our gallery, you can request it to be added by going to the Microsoft Application Network.
Q4: Is it possible to provision users from two different Workday instances to a single Azure AD tenant?
Yes, this is possible. A different enterprise app will need to be created for each Workday instance. The same on-prem agents can be used because they are bound to the tenant, not the provisioning app. This works well when the Workday instances are entirely separate. For example, there are no users moving between the two instances and there are no users in one instance with a manager in another.
If you have multiple domains, you can add an instance of the Workday app for each Active Directory domain you need to provision to.
Q5: If I invite a user outside of my organization, such as a partner or other external collaborator, how are those users provisioned?
When you invite users outside of your organization, they are added as an object to your Azure AD tenant through a process of sending and redeeming invitations. The user can be coming from another Azure AD directory, from another third party Identity Provider or simply just have an email. Once the user has accepted the invitation and an object is created for them in your Azure AD tenant (Resource Tenant), they can be treated like any other user, added to groups, assigned roles, etc. This is great when you want to collaborate with specific users.
If you want to collaborate with many people inside another organization and the specific users are not yet defined, you can add the company as a connected organization in Azure AD. You can ensure that access is being governed by requiring external users to accept a terms of use agreement, assigning access packages, which allows access to only selected applications for a set period of time, and requiring access reviews. Access reviews can be done by a delegated admin or you can choose to have users self-report whether or not they need access. Based on the results from the access review, you can take action to delete the user who no longer need access and this will remove them from your tenant.
Follow these links for more information:
- What is Identity Governance
- What is guest user access in Azure AD B2B?
- Identity Architecture Video Series- External Identity Provisioning
Q6: Can I control which users or groups are provisioned with Azure AD Connect cloud provisioning agent?
Yes. You’re able to filter which users go into Azure AD using Domain/OU (Organizational Unit) or Group filtering with cloud provisioning agents. It’s important to note that OU and Group filtering are mutually exclusive, you cannot use both.
For a list of the features available with cloud provisioning, click here.
Q7: Do the Azure AD Connect cloud provisioning agents integrate with Azure AD Connect Health?
The health of Azure AD Connect cloud provisioning agents are reported in the portal, under Manage provisioning. An admin will also receive email notifications if the health status of the provisioning job changes.
Q8: How do I know if users were successfully provisioned to Azure AD?
You can view the Provisioning logs in Azure AD to see which users were successfully or unsuccessfully created as well as any other changes you make to Azure AD. You can filter the provisioning data on the type of identity (user, group, role or other object), status, action, date, Job ID, Cycle ID and Change ID.
Q9: I already have on-prem provisioning, how can I start taking advantage of the cloud provisioning?
You can start using Azure AD for provisioning of net-new SaaS applications that are supported by Azure AD (via connector or SCIM).
It’s also a good idea to start thinking about attribute flows. Verify the type of attributes the apps are requesting, configure MIM to bring those attributes from the authoritative source, and set up Azure AD Connect to send those attributes to Azure AD. This way, you will be positioned to switch to cloud provisioning when you’re ready .
Next Steps:
Identity provisioning is an important part of your identity and access management solution, and we recommend these great resources as next steps to learn more:
If you’re wondering if Azure AD Connect cloud provisioning suits your needs, check out the supported topologies and scenarios:
- Multi-forest, single Azure AD tenant
- Existing forest with Azure AD Connect, new forest with cloud Provisioning
- Piloting Azure AD Connect cloud provisioning in an existing hybrid AD forest
- Single forest, single Azure AD tenant
For more information about app provisioning and how it works:
- How the provisioning service works
- Develop your own SCIM application
- What is application provisioning?
And for cloud-based human resource applications:
Please feel free to leave any additional questions or comments below. Your feedback is greatly appreciated.
- Corissa Koopmans, Ramiro Calderon, Mark Wahl, Mark Morowczynski, Nitika Gupta, Arvind Harinder and Chetan Desai
For any questions you can reach us at AskAzureADBlog@microsoft.com, Tech Communities or on Twitter @AzureAD, @MarkMorow and @Alex_A_Simons. You can also ask questions in the comments of this post.
Additional Sources: